
Introduction

Black Duck supports scanning images stored in Amazon Elastic Container Registry (ECR). Scan results are sent to your dedicated Black Duck instance, which reports vulnerability, license, and operational risk for the open source software components identified in the ECR image.

There are two ways to scan container images stored in ECR:

  1. Run Synopsys Detect on a local workstation against an image URI in ECR.
  2. Run the Black Duck Custom Action in AWS CodePipeline, with ECR as the pipeline source.

These methods are described as follows:

Using Synopsys Detect on a local workstation

Before you can scan images in ECR using Synopsys Detect, ensure that the following requirements, which the steps below rely on, are met:

  1. The AWS CLI is installed and configured with credentials that are allowed to pull from the repository (ecr:GetAuthorizationToken, ecr:BatchGetImage, ecr:GetDownloadUrlForLayer, ecr:BatchCheckLayerAvailability).
  2. Docker is installed and running; Detect uses the local Docker daemon to pull and unpack the image.
  3. bash, curl and a Java runtime are available, because detect.sh downloads the Detect jar and runs it with Java.
  4. You have the URL of your Black Duck instance and an API token for a user permitted to create projects and upload scans there.

To scan container images locally that are stored in ECR, follow these steps:

  1. Authenticate Docker to the registry. ECR issues authorization tokens that expire after 12 hours, so repeat this step in long-running sessions. With AWS CLI v2, aws ecr get-login-password prints the token and docker login reads it from stdin, which keeps it out of the process list and shell history:

    aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com

     The older form, aws ecr get-login --region <region> --no-include-email | sh, works only with AWS CLI v1 (the subcommand was removed in v2) and emits a docker login command that carries the token as a command-line argument, so prefer the form above.


  2. Invoke Synopsys Detect with at least the following properties. <Image URI> is the full ECR reference, <account-id>.dkr.ecr.<region>.amazonaws.com/<repository>:<tag>; Detect pulls it through the Docker daemon you authenticated in step 1.

    bash <(curl -s https://detect.synopsys.com/detect.sh) \
    --blackduck.url=<URL> \
    --blackduck.api.token=<token> \
    --detect.docker.image=<Image URI> \
    --detect.project.name=<Project Name>

     Two cautions for shared or scripted use: the token passed as --blackduck.api.token is visible in the process list and shell history, and Detect also reads it from the BLACKDUCK_API_TOKEN environment variable; and the command executes whatever detect.sh currently serves, so pin the Detect release with the DETECT_LATEST_RELEASE_VERSION environment variable (or download and review the script first) rather than running the latest copy unseen.


  3. On scan completion, navigate to the project version in Black Duck to view the scan results.
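The steps above combined into one script, as an added example that is not part of the original page or of Synopsys Detect's own tooling. It assumes AWS CLI v2, Docker and Java on the workstation, takes the Black Duck URL and API token from the environment rather than the command line, uses the CLI v2 login form so the ECR token stays off argv, checks that the image reference is an ECR reference with an explicit tag or digest, records the image digest, and runs a pinned Detect release from a downloaded copy of detect.sh instead of piping it from curl into bash. The account, region, repository, image and project names are placeholders, and DETECT_VERSION must be set to a release you have validated.

```shell
#!/bin/sh
# scan-ecr-image.sh: local ECR scan with Synopsys Detect (added example, not
# Synopsys/Black Duck code). Usage:
#   BLACKDUCK_URL=https://blackduck.example.com BLACKDUCK_API_TOKEN=... \
#   DETECT_VERSION=<validated release> \
#   ./scan-ecr-image.sh 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:1.4.2 myapp
# Account, region, repository and project values are placeholders.
set -eu

# Detect bootstrap script, as on the page. It honours
# DETECT_LATEST_RELEASE_VERSION, which is used below to pin the release it runs.
DETECT_SH_URL="https://detect.synopsys.com/detect.sh"

# The registry host is everything before the first '/' of the image URI.
image_registry() {
    printf '%s\n' "${1%%/*}"
}

# Accept only ECR registry hosts and print the region embedded in the name.
# Covers the standard, FIPS and China-partition hostname forms.
ecr_region_from_host() {
    host=$1
    case "$host" in
        *.dkr.ecr.*.amazonaws.com|*.dkr.ecr.*.amazonaws.com.cn)
            rest=${host#*.dkr.ecr.} ;;
        *.dkr.ecr-fips.*.amazonaws.com)
            rest=${host#*.dkr.ecr-fips.} ;;
        *)
            echo "not an ECR registry host: $host" >&2
            return 1 ;;
    esac
    printf '%s\n' "${rest%%.*}"
}

# Refuse references with no explicit tag or digest: Docker would silently
# resolve ":latest", and the scan record would not name a unique image.
require_tag_or_digest() {
    ref=${1##*/}                      # name:tag  or  name@sha256:...
    case "$ref" in
        *@sha256:*|*:*) return 0 ;;
        *)
            echo "image reference has no tag or digest: $1" >&2
            return 1 ;;
    esac
}

scan_ecr_image() {
    image=$1
    project=$2
    : "${BLACKDUCK_URL:?set BLACKDUCK_URL}"
    : "${BLACKDUCK_API_TOKEN:?set BLACKDUCK_API_TOKEN in the environment}"
    : "${DETECT_VERSION:?set DETECT_VERSION to the Detect release you have validated}"
    export BLACKDUCK_API_TOKEN

    registry=$(image_registry "$image")
    region=$(ecr_region_from_host "$registry")
    require_tag_or_digest "$image"

    # Step 1: fetch the 12-hour ECR token (AWS CLI v2 form) and hand it to
    # docker on stdin, so it never appears in argv or in shell history.
    token=$(aws ecr get-login-password --region "$region")
    printf '%s' "$token" | docker login --username AWS --password-stdin "$registry"
    unset token

    # Pull first so the immutable digest can be recorded with the scan even
    # when a mutable tag was given.
    docker pull "$image"
    digest=$(docker inspect --format '{{index .RepoDigests 0}}' "$image")
    echo "scanning $digest"

    # Step 2: download a copy of detect.sh and run a pinned release from it,
    # instead of piping the remote script straight into bash.
    script=$(mktemp)
    trap 'rm -f "$script"' EXIT
    curl -fsSL "$DETECT_SH_URL" -o "$script"
    export DETECT_LATEST_RELEASE_VERSION="$DETECT_VERSION"
    # blackduck.api.token is taken from the exported BLACKDUCK_API_TOKEN, so the
    # token is not on Detect's command line. Using the digest as the project
    # version name is this script's choice, not something the page prescribes.
    bash "$script" \
        --blackduck.url="$BLACKDUCK_URL" \
        --detect.docker.image="$image" \
        --detect.project.name="$project" \
        --detect.project.version.name="${digest##*@}"
}

# Only scan when invoked with an image URI and a project name; otherwise the
# file just defines the functions above.
if [ "$#" -ge 2 ]; then
    scan_ecr_image "$1" "$2"
fi
```

The script refuses non-ECR hosts and untagged references before any credential is fetched, and records the sha256 digest so a scan run against a mutable tag can still be tied to the exact image later.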
     

Using the CodePipeline Custom Action

  1. Before you can scan images in ECR using a CodePipeline Custom Action, add your Black Duck credentials (server URL and API token) to AWS Systems Manager Parameter Store. Store the API token as a SecureString parameter so it is encrypted at rest with KMS, and scope the IAM role used by the custom action so that it can read only those parameters.
  2. Follow the instructions for the AWS CodePipeline Custom Action.
  3. Create the pipeline with ECR as the Source, and configure the following information in the Black Duck Custom Action step:

Tip: Specifying the image with the latest tag lets the pipeline re-run the scan each time a new image is pushed with that tag, because the ECR source action starts the pipeline on a push to the configured tag. An image tagged latest must already exist in the repository, or the source stage has nothing to start from. Because latest is a mutable tag, keep the image digest that the ECR source action exposes as an output variable alongside each scan, so the result can be traced to the exact image that was scanned.